Vastaamo Hacker Freed: Why Finland’s Most Notorious Cybercriminal Is Out
On Thursday, the Helsinki Court of Appeal delivered a ruling that stirred widespread public reaction. Alexander Kivimäki, the 28-year-old convicted of hacking the Vastaamo psychotherapy center and carrying out subsequent extortion, was released from custody pending the final verdict. He left the courthouse immediately after the session, without returning to the detention facility where he had been held since February 2023. The decision does not equate to a declaration of innocence, but it allows him to continue the proceedings as a free man.
The court noted that Kivimäki had already spent nearly two and a half years in custody—time roughly equivalent to a portion of his imposed sentence. A year earlier, the district court had sentenced him to six years and three months in prison for aggravated cyberattacks and extortion. Under Finnish law, an individual with no recent convictions is required to serve only half of the designated sentence.
This means that Kivimäki had nearly completed the mandatory portion of his term even if the verdict were to stand. If the appellate court were to reduce his sentence, it would create a situation in which he had already spent more time behind bars than legally required, entitling him to state compensation. For this reason, the court deemed his continued detention unjustifiable.
Prosecutor Pasi Vainio opposed the release, but the panel of judges found the defense’s arguments more persuasive. In August, Kivimäki’s lawyer had already insisted on his release, or at the very least a travel ban in place of imprisonment, citing the risk of excessive pre-trial detention.
Speaking to journalists after the hearing, Kivimäki expressed little surprise at the ruling. He described his time in custody as “annoying” and admitted he would rather have spent it differently, though he did not consider the experience unbearably harsh. He offered no words of remorse to the victims of the Vastaamo breach, instead accusing the police and prosecutors of mishandling the investigation.
The trial examined extensive evidence. Investigators claimed the attack was launched from a virtual server containing material that tied directly to Kivimäki, including a family photograph and articles about him. While he admitted to uploading certain files, he denied the server’s involvement in the crime. The extortion was also linked to an IP address traced to an apartment in Barcelona. Kivimäki countered that he was in London at the time and dismissed the idea of him exploiting someone else’s connection as absurd, suggesting instead that a resident of that apartment might be the true culprit.
The breach of Vastaamo occurred in November 2018, when a database containing confidential patient information was illegally copied. In the autumn of 2020, an extortion campaign followed: criminals demanded money in exchange for preventing public disclosure of the data. Eventually, personal records of thousands of clients were leaked, with the total breach affecting around 33,000 individuals, 24,000 of whom contacted the police.
After years of investigation, Kivimäki was finally arrested and brought to trial. The first court found him guilty and sentenced him to a lengthy prison term. The prosecution, in its appeal, is seeking to increase the sentence to seven years—the maximum penalty for the charges. Kivimäki, however, continues to protest his innocence and insists the earlier judgment was mistaken.
Hearings at the appellate court will continue until early November, after which a final ruling is expected—one that will conclude one of Finland’s most high-profile criminal cases, tied to the largest medical data breach in the nation’s history.